chore: add GitHub Actions CI and release workflows #13
Merged
Add separate CI jobs for tests, type checks, and linting, plus a cache-free npm Trusted Publishing release workflow.
What is this?
This PR adds GitHub Actions automation for Sniffler so every pull request and master push gets the same basic quality gates, and releases can be published to npm from a controlled workflow. Before this, the repo had no checked-in GitHub workflows for test, typecheck, lint, or release publishing.

How does it work?
The CI workflow runs three separate jobs for tests, TypeScript checks, and linting. Each job checks out the repository with read-only credentials, installs pnpm directly, installs dependencies from pnpm-lock.yaml, and runs the matching project command.

The release workflow runs only for v* tags. It verifies that the tag matches the package version and points to a commit reachable from origin/master, then performs a fresh no-cache install, runs the same validation steps, rebuilds the package, inspects the npm package contents, and publishes with npm Trusted Publishing through OIDC. The workflow does not use dependency caches, build artifacts from CI, or long-lived npm publish tokens.

Why is this useful?
This gives maintainers consistent pre-merge signal for tests, type checking, and linting while keeping release publishing deliberately stricter than everyday CI. The release path builds from source in a clean job, uses least-privilege GitHub permissions, pins external actions by commit, and relies on short-lived OIDC credentials, which reduces the risk from cache poisoning, leaked npm tokens, or mutable release infrastructure.
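The two release gates described above (tag equals the package.json version, and the tagged commit is reachable from origin/master) can be expressed as plain shell that a workflow `run:` step would call. The script below is an added illustration, not the PR's actual workflow or Sniffler's code; the function names, the `release_gate` wrapper and the default branch argument are assumptions. The ancestry check uses `git merge-base --is-ancestor`, which succeeds only when the tag's commit is on or behind the release branch, so a tag pushed from an unmerged feature branch fails the gate before anything is published.

```shell
#!/usr/bin/env sh
# Added example of the release gates described in the PR; not the project's workflow.
# Usage: sh release_gate.sh v1.2.3 ./package.json [repo_dir] [release_branch]

# Return 0 when TAG is "v<version>" and <version> equals "version" in the given package.json.
# Parsing with sed keeps the check dependency-free inside a fresh CI job.
tag_matches_package_version() {
  tag="$1"; pkg="$2"
  case "$tag" in
    v*) ;;
    *) return 1 ;;   # only v* tags are release candidates
  esac
  version=$(sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1)
  [ -n "$version" ] && [ "${tag#v}" = "$version" ]
}

# Return 0 when the commit TAG points to is an ancestor of (or equal to) BRANCH.
# This rejects tags created on commits that never landed on the release branch.
tag_reachable_from_branch() {
  repo="$1"; tag="$2"; branch="$3"
  git -C "$repo" merge-base --is-ancestor "$tag" "$branch"
}

# Combined gate: both checks must pass, otherwise explain the refusal and fail the job.
release_gate() {
  tag="$1"; pkg="$2"; repo="${3:-.}"; branch="${4:-origin/master}"
  if ! tag_matches_package_version "$tag" "$pkg"; then
    echo "refusing release: tag $tag does not match the version in $pkg" >&2
    return 1
  fi
  if ! tag_reachable_from_branch "$repo" "$tag" "$branch"; then
    echo "refusing release: $tag is not reachable from $branch" >&2
    return 1
  fi
  echo "release gate passed for $tag"
}

# Run the gate when invoked with arguments (a workflow step would pass "$GITHUB_REF_NAME").
if [ "$#" -ge 2 ]; then
  release_gate "$@"
fi
```

In a workflow the tag name comes from the ref that triggered the job, and a non-zero exit from `release_gate` stops the job before the install, build and publish steps run.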